Phishing for info on Twitter

Note: I originally submitted this elsewhere to be published but it never was, so I’ll publish it on my own blogs.

@tarotbyarwen: *poke poke poke*

@syrlinus: yes?

@tarotbyarwen: I got 98% on twittergrader! Squee!

@syrlinus: huh? Wazzat? Lemme check.

I go to the website and see that it asks for a username and password. Warning bells and spidey senses are being alerted. Ok. So maybe it didn’t quite happen like that.

But, one of the fastest growing social networking tools of late has been Twitter, a quick messaging tool that utilizes UDP packets. It’s a great tool to send out quick updates. It is, to use the analogy, nothing more than a true virtual gab fest. People exchange “info” and talk about almost nothing at all. Seinfeld would be proud. But in recent weeks, a number of sites have popped up, trying to take advantage of people’s egos to one-up each other in regards to their ranking on Twitter. That is, the more people who follow you, the better the rating; the more people talk to you with directed messages; the more you talk, etc. (amongst other factors). In a nutshell, how popular are you to the rest of the world?

One way that they do this is to request the username and password used for Twitter. The person logs in with these, and the “attacker” can then use that account to send out spam or steal someone’s reputation.

And online, one’s reputation can pretty much be the only thing that carries or is important, particularly so during these hard times. There are no specific inherent security tools but there are some simple steps that you can take to ensure a secure Twitter experience.

  1. Change your password regularly: The only thing that ever should be static in life is a mosquito pond. Otherwise, everything should change at some point. Passwords are no exception. When online, you should change your password at least every 6-12 weeks. If you suspect that your password has been compromised, change it sooner.
  2. Be complex: Few things in life are simple (other than toast and butter). Your password should be a complex secret that only you would know or guess. I try to use combinations of things that have some unique meaning to me. For example, I might use Blu3Bl@nk3t since my name is Linus (I don’t but you get the idea). The combination of upper, lower, numbers and special characters as well as the length makes it hard to guess or crack.
  3. Never give out your password: the exception would be the Twitter application itself but only use those that are sanctioned by Twitter or have a high visibility rate (that is, other friends you know – ideally in person – recommend).
  4. Be careful what you say: This is a non-encrypted method of communication. Because of this, you may not want to trade the latest exciting news from the company about the new product to be released in a couple of months – unless your Marketing department has ok’d that information to be released. Even when talking with colleagues online, watch out for that.

Because of the inherent lack of security in Twitter itself, it’s up to the individual user to practice safe twittering. Be aware, be careful and be thoughtful. Don’t just jump at all the gadgets, ranking sites, etc.

As for Twitterrank, which got busted the other day as I wrote this, it claims that the intent wasn’t username/password harvesting. It may be true but it does highlight the importance of being vigilant without FUDing. That’s the other side of Twitter: news travels fast. 😉

One thought on “Phishing for info on Twitter”

  1. MsM!!!!!!!!!!!! This is JJsNasty1 from #MJfans… we have all reunited and even go to #MJfans when we can. We also have a Facebook group, “I was (and still am) a #mjfan!”
